Example 42: Tip of the Week 39 – Secure data management with multiple eyaml keys

综合技术 2017-09-25 阅读原文

With improved security implementations it is often required that keys must be separate among different infrastructure stages. This means that we have to deal with multiple eyaml keys for production-stage and ci- and development-stage.

Nobody may have the private production key. Everybody should have access to the production public key (which is used for encryption). All other keys can be made available to everybody.

First let’s set some top scope variable by analysing facts:

# Set top scope variables
# eyaml key selection based on existence of an external fact:
#  'eyaml_private_base_path'
# when fact is set, then we run on spec tests keys
# otherwise we use production keys
if has_key($::facts, 'eyaml_private_base_path') {
  $eyaml_selector = 'development'
} else {
  $eyaml_private_base_path = '/etc/puppetlabs/puppet/eyaml'
  $eyaml_selector = 'production'

Now let’s adopt our hiera yaml:

version: 5
  datadir: data

  - name: "Data"
    lookup_key: eyaml_lookup_key
      - "hosts/%{::trusted.certname}.yaml"
      - "hosts/%{::trusted.certname}_secrets_%{::eyaml_selector}.yaml"
      - "role/%{::role}/%{::env}.yaml"
      - "role/%{::role}/%{::env}_secrets_%{::eyaml_selector}.yaml"
      - "role/%{::role}.yaml"
      - "role/%{::role}_secrets_%{::eyaml_selector}.yaml"
      - "zone/%{::zone}.yaml"
      - "zone/%{::zone}_secrets_%{::eyaml_selector}.yaml"
      - "common_secrets_%{::eyaml_selector}.yaml"
      - common.yaml
      pkcs7_private_key: "%{::eyaml_private_base_path}/private_key.pkcs7_%{::eyaml_selector}.pem"
      pkcs7_public_key: "/etc/puppetlabs/code/environments/%{::environment}/eyaml/keys/public_key.pkcs7_%{::eyaml_selector}.pem"

This will lead to a quite complex hierarchy, with the benefit of separating encryptions done with different keys.

All *_secrets_production.yaml files contain secrets encrypted with the production key. All *_secrets_development.yaml files contain secrets encrypted with the development key.

On the other hand it is easy to find missing encrypted production keys by comparing the hiera data keys in both yaml files.

Martin Alfke

Planet Puppet

责编内容by:Planet Puppet阅读原文】。感谢您的支持!


2017Commvault合作伙伴峰会即将启航 企业数据保护及信息管理公司 Commvault (纳斯达克交易代码: CVLT )今日宣布, 每年一度的 Commvault 合作伙伴...
Data Management Gateway – High Availability ... We are excited to announce the preview for Data Management Gateway - High Availability and Scalability. You can now...
CryptDB代码分析3-元数据管理结构 本文是CryptDB代码分析的第三篇。在CryptDB中,需要对加密过程进行记录:比如某个表的原始名字和加密以后的名字,表中有多少列,每列用了什么样的加密算法。这些信息被记录在mysql-proxy端的embedded MySQL中。Cry...
融资平台的银行信贷大数据管理现存问题汇总... 根据上述财政监督系统文件对银行融资平台信贷数据进行管理将可以有效提升银行信用风险管理与财政监水平,但目前在使用当中仍然存在着较多问题。 (一)融资平台贷前数据管理的问题 1、未将地方财政纳入评级体系 融资平台是政府融资平台类客户...
Commvault完成自我新“画像”,以新面貌示人!... 通过用户画像,电商实现了用户认知和业务创新的结合。有评论认为,通过用户画像等大数据应用,电商会比消费者更加了解消费者自己。这可能吗?当然有可能,原因也很简单,因为人会遗忘;但是数据不会遗忘,通过大数据系统分析,机器会比人更加全面、深入了解人...